Compliance Certification Clears One Hurdle for Multiple States
StateRAMP calls the approach “verify once, use many.”
“We don’t need to do this 50 different ways, or even the same way 50 different times,” Sloan said. “We should be able to come up with a way for one entity to be able to do the verification, to be able to share the verification information with states where states can trust it.”
In Georgia, for example, the state government is already asking vendors to describe their security controls as they relate to the National Institute of Standards and Technology (NIST) Special Publication 800-53, a set of security and privacy controls for information systems and organizations.
“In many cases, they are mapping to NIST as a one-off for just our procurement, and we have to evaluate how each vendor is meeting the control for potentially 200-plus controls,” Georgia CTO Steve Nichols says. That’s why joining StateRAMP was particularly appealing to his state.
“StateRAMP certification moves this whole mapping and evaluation process upstream into the certification process. In the procurement, this would significantly decrease our work — and the vendors’ work — to evaluate the vendor’s security posture,” Nichols says. “We are all solving for the same problems here. We’ve seen a lot of benefit in pooling resources, so a state-specific version of FedRAMP was an easy sell for us.”
StateRAMP also provides continuous monitoring of authorized products after the initial assessment, a further benefit that appealed to Nichols and to his Massachusetts counterpart, Sean Hughes, whose state is in the process of joining the organization.
By becoming a member of StateRAMP, Massachusetts will be able to “better manage third-party risk while verifying the security of service providers via a continuous security assessment framework and monitoring,” says Hughes, the assistant secretary for technology, security and operations and COO.
“While FedRAMP has been known for years, Massachusetts is appreciative of the foresight that states like Arizona showed in 2020 to organize StateRAMP for state and local governments,” he says.
A list of StateRAMP authorized products can be viewed on the organization’s website.